Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3620311rdh;
        Thu, 28 Sep 2023 18:32:43 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF2tehFA+7fT5HdOePxY5if40KB+pLA0RM/bjhck/J5fHP7rle8r+dzdnYIBL013CY+Wxu8
X-Received: by 2002:a05:6358:71cd:b0:13f:e3eb:53a6 with SMTP id u13-20020a05635871cd00b0013fe3eb53a6mr2760704rwu.30.1695951163543;
        Thu, 28 Sep 2023 18:32:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695951163; cv=none;
        d=google.com; s=arc-20160816;
        b=t+eEhbZGuvizUInpSlktes7+1j70jHxtUmwLyEHdpAGrXYCEh5FoQZjsXxwTN5S00l
         Bdg1Y6abh5AQpchb518IYsOYeGuhibGypkzLeV/1PFpTH+Y+bdxPRYTaVS7Gza4siD6O
         FnXUOjrJXnZbNQKSN7TZVg3Jl7pM6fyOm5ghDyh/13TTxbKl3pH+hrSqPxjMCuBCfuvk
         TkGAPziEzv6VMtPpeoMdw+yVLSxKsNSVRQmpBAYjiLpQEnrcUGNyiIIGiekr0NUkV/dw
         qk8HB3hk4LrEzHgvlD75wdDstRks+Dxe9bqxCSNcU1kAxAZL+fBtzHKdLYysSAJNq0sA
         xXTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=GzU/p1JZOS32BX69GrPsVBZ9IR4/PAQRYwGFGm6EsOg=;
        fh=FcOy9TBhrGHmKHVFET+ayHsTdt26ZMVBpwsulYv31+8=;
        b=OTu8lU4LDTFJ4KeENqQ1mSmJ419JS0EYC1Ty2mLP4oSV9kJpejnMqIm2X8KRd1kALs
         jyLs/PpJaD3LkbyfGB0H1+aEeotqg8eHGqgQjU9Z5etLV8PCFpZzo4v/QhmG855rh3st
         7ieIqhzD8CkKUTmy+ZuBWwTrCc4lOSLtOQJTMDnRb22Lm9whS8imzQJPJycjANuwkEQA
         QR6hsoB1SA1sBYCj6R9wqZpQJqxwF2z+A4lSNdtcMKNtT0nlD4yRTLEePA5FCM1kLiGS
         H60YjnOR2bbGYPoKI62ZW0JCE0mQAzYrm1uTvaMUsZLTr5GayUr6Kxw4wUi9PJlbCdLz
         1/sg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=spWoM0mb;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from morse.vger.email (morse.vger.email. [23.128.96.31])
        by mx.google.com with ESMTPS id q2-20020a632a02000000b005777b0c8f59si20861504pgq.478.2023.09.28.18.32.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Sep 2023 18:32:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=spWoM0mb;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by morse.vger.email (Postfix) with ESMTP id 183C983C2243;
	Thu, 28 Sep 2023 08:28:20 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231784AbjI1P2G (ORCPT <rfc822;stevenley.huang@gmail.com>
        + 99 others); Thu, 28 Sep 2023 11:28:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47164 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231384AbjI1P2F (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Sep 2023 11:28:05 -0400
Received: from smtp-bc0b.mail.infomaniak.ch (smtp-bc0b.mail.infomaniak.ch [IPv6:2001:1600:3:17::bc0b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DBB3AC;
        Thu, 28 Sep 2023 08:28:02 -0700 (PDT)
Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107])
        by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4RxHRg6mXXzMr3yF;
        Thu, 28 Sep 2023 15:27:59 +0000 (UTC)
Received: from unknown by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4RxHRf70HvzMppDN;
        Thu, 28 Sep 2023 17:27:58 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net;
        s=20191114; t=1695914879;
        bh=5TbzNnbHjMBaw/hqLYXv0/YPa4xbm8wFAcwV61jhk4M=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=spWoM0mbRhMT5nzVdAn/x+LHYB1Jj7njxIUT6IcE5acIQ30gQlXV+o2IIEzE64pGX
         6pxI++jHHiSfFtzHTzr8XS7txfAxpFMfUoEvnSGItvez3EgaTB8kteU8Vg2UE93QRW
         dTTe90yMw7QhhE8jXssngHGNRjxj7mzulpthbxrc=
Date:   Thu, 28 Sep 2023 17:27:46 +0200
From:   =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>
To:     Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>,
        Paul Moore <paul@paul-moore.com>,
        "Serge E . Hallyn" <serge@hallyn.com>
Cc:     Ben Scarlato <akhna@google.com>,
        =?utf-8?Q?G=C3=BCnther?= Noack <gnoack@google.com>,
        Jeff Xu <jeffxu@google.com>,
        Jorge Lucangeli Obes <jorgelo@google.com>,
        Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
        Shervin Oloumi <enlightened@google.com>, audit@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/7] Landlock audit support
Message-ID: <20230928.wae8Caitha7n@digikod.net>
References: <20230921061641.273654-1-mic@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230921061641.273654-1-mic@digikod.net>
X-Infomaniak-Routing: alpha
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Thu, 28 Sep 2023 08:28:20 -0700 (PDT)

I talked about this patch series at the Kernel Recipes conference, and
you might want to take a look at the future work:
https://landlock.io/talks/2023-09-25_landlock-audit-kr.pdf

In a nutshell, new syscall flags:
* For landlock_create_ruleset() to opt-in for logging ruleset-related
  and domain-related use
* For landlock_add_rule() to opt-in for logging this rule if it granted
  the requested access
* For landlock_restrict_self() to opt-in for:
  * not log anything
  * handle a permissive mode to log actions that would have been denied
    (very useful to build a sandbox)


On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote:
> Hi,
> 
> This patch series adds basic audit support to Landlock for most actions.
> Logging denied requests is useful for different use cases:
> * app developers: to ease and speed up sandboxing support
> * power users: to understand denials
> * sysadmins: to look for users' issues
> * tailored distro maintainers: to get usage metrics from their fleet
> * security experts: to detect attack attempts
> 
> To make logs useful, they need to contain the most relevant Landlock
> domain that denied an action, and the reason. This translates to the
> latest nested domain and the related missing access rights.
> 
> Two "Landlock permissions" are used to describe mandatory restrictions
> enforced on all domains:
> * fs_layout: change the view of filesystem with mount operations.
> * ptrace: tamper with a process.
> 
> Here is an example of logs, result of the sandboxer activity:
> tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate
> tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0
> op=release-ruleset ruleset=1
> tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9
> tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256
> tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256
> tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1
> tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd"
> 
> As highlighted in comments, support for audit is not complete yet with
> this series: some actions are not logged (e.g. file reparenting), and
> rule additions are not logged neither.
> 
> I'm also not sure if we need to have seccomp-like features such as
> SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and
> /proc/sys/kernel/seccomp/actions_logged
> 
> I'd like to get some early feedback on this proposal.
> 
> This series is based on v6.6-rc2
> 
> Regards,
> 
> Mickaël Salaün (7):
>   lsm: Add audit_log_lsm_data() helper
>   landlock: Factor out check_access_path()
>   landlock: Log ruleset creation and release
>   landlock: Log domain creation and enforcement
>   landlock: Log file-related requests
>   landlock: Log mount-related requests
>   landlock: Log ptrace requests
> 
>  include/linux/lsm_audit.h    |   2 +
>  include/uapi/linux/audit.h   |   1 +
>  security/landlock/Makefile   |   2 +
>  security/landlock/audit.c    | 283 +++++++++++++++++++++++++++++++++++
>  security/landlock/audit.h    |  88 +++++++++++
>  security/landlock/fs.c       | 169 ++++++++++++++++-----
>  security/landlock/ptrace.c   |  47 +++++-
>  security/landlock/ruleset.c  |   6 +
>  security/landlock/ruleset.h  |  10 ++
>  security/landlock/syscalls.c |  12 ++
>  security/lsm_audit.c         |  26 ++--
>  11 files changed, 595 insertions(+), 51 deletions(-)
>  create mode 100644 security/landlock/audit.c
>  create mode 100644 security/landlock/audit.h
> 
> 
> base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70
> -- 
> 2.42.0
>